Security Requirements for Key Establishment Proof Models: Revisiting Bellare-Rogaway and Jeong-Katz-Lee Protocols

We observe that the definitions of security in the computational complexity proof models of Bellare & Rogaway (1993) and Canetti & Krawczyk (2001) require two partners in the presence of a malicious adversary to accept the same session key, which we term a key sharing requirement. We then revisit the Bellare–Rogaway three-party key distribution (3PKD) protocol and the Jeong–Katz–Lee two-party authenticated key exchange protocol T S2, which carry claimed proofs of security in the Canetti & Krawczyk (2001) model and the Bellare & Rogaway (1993) model respectively. We reveal previously unpublished flaws in these protocols where we demonstrate that both protocols fail to satisfy the definition of security in the respective models. We present a new 3PKD protocol as an improvement with a proof of security in the Canetti & Krawczyk (2001) model and a simple fix to the specification of protocol T S2. We also identify several variants of the key sharing requirement and present a brief discussion.